Saturday, February 14, 2009

The quarter-million dollar award Microsoft is offering for information that leads to the arrest and conviction of those responsible for unleashing the "Conficker" worm may represent the culmination of what security experts say has been an unprecedented and collaborative response from industry, academia and Internet policy groups aimed not just at containing the spread of this worm, but also at creating a playbook for dealing with future digital pandemics.

Estimates of how many systems have been infected by Conficker, a contagion that has exploited Microsoft Windows PCs over the past few months, vary widely, from 2 million to more than 10 million machines. Microsoft estimates that at least 3 million PCs worldwide remain infected.

Rather, security experts say the worm may be the first stage of a larger attack. By using a mathematical algorithm, Conficker can tell infected systems to regularly contact a list of 250 different domain names each day.

Phillip Porras, director of the computer security lab at SRI International, also began tracking Conficker domains in late November. Porras and his team learned they could determine sets of domains sought by Conficker host systems in the past or the future, merely by rolling back or forward the system date setting on Microsoft Windows systems that they had purposely infected in their test lab.
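The predictability described above is what lets defenders get ahead of the worm: if the daily list is a pure function of the date, it can be computed for any day and matched against DNS logs to find infected hosts. The sketch below is an added example, not code from the article or from SRI; the hash-based generator, the TLD list and the log format are assumptions standing in for Conficker's actual algorithm, which the article does not describe.

```python
import hashlib
from datetime import date, timedelta

DOMAINS_PER_DAY = 250                         # figure quoted in the article
TLDS = ("com", "net", "org", "info", "biz")   # assumption, illustrative only

def domains_for(day):
    """Toy date-seeded generator: a stand-in, NOT Conficker's real algorithm."""
    out, counter = set(), 0
    while len(out) < DOMAINS_PER_DAY:
        digest = hashlib.sha256(f"{day.isoformat()}:{counter}".encode()).digest()
        length = 8 + digest[0] % 4            # label of 8 to 11 letters
        label = "".join(chr(ord("a") + b % 26) for b in digest[1:1 + length])
        out.add(f"{label}.{TLDS[digest[12] % len(TLDS)]}")
        counter += 1
    return out

def watchlist(start, days):
    """Map domain -> first date it is generated, over a window of days.

    This is the table a defender would build before blocking,
    pre-registering or sinkholing the names.
    """
    table = {}
    for offset in range(days):
        day = start + timedelta(days=offset)
        for name in domains_for(day):
            table.setdefault(name, day)
    return table

def flag_clients(dns_log_lines, table):
    """Return {client_ip: [matched domains]} from 'timestamp client qname' lines."""
    hits = {}
    for line in dns_log_lines:
        parts = line.split()
        if len(parts) != 3:                   # skip malformed lines
            continue
        _, client, qname = parts
        qname = qname.rstrip(".").lower()     # normalise trailing dot and case
        if qname in table:
            hits.setdefault(client, set()).add(qname)
    return {client: sorted(names) for client, names in hits.items()}

# Constructed sample data: two generated names queried by one internal host.
TODAY = date(2009, 2, 14)
TABLE = watchlist(TODAY, 7)
SAMPLE_DOMAINS = sorted(domains_for(TODAY))[:2]
SAMPLE_LOG = [
    f"2009-02-14T08:00:01 10.0.0.5 {SAMPLE_DOMAINS[0]}.",
    f"2009-02-14T08:00:02 10.0.0.5 {SAMPLE_DOMAINS[1].upper()}",
    "2009-02-14T08:00:03 10.0.0.9 www.example.com",
    "malformed line",
]
```
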

But it's too soon for the community to declare victory, Wesson said. The next domain-based worm could significantly ratchet up the number of domains, and thereby sideline a large number of Web site names that might otherwise be commercially viable and sought after by legitimate Internet users.